CVE-2021-3802: 
NixOS vulnerability analysis and mitigation

CVE-2021-3802 is a vulnerability discovered in udisks2, a service used to access and manipulate storage devices. The vulnerability was disclosed on November 29, 2021. The flaw affects the mount helpers of various Linux distributions and desktop environments, including Linux kernel 5.13.4-arch1-1, gio glib2 2.68.3-1, kio 5.84.0-2, and udisks2 2.9.2-1 (SYSS Advisory).

The vulnerability exists in the way ext2/3/4 file systems handle the 's_errors' flag in the superblock, which contains metadata about the file system. When this flag is set to trigger a kernel panic upon encountering errors, and combined with a manually introduced error in the file system image, it can lead to an automatic denial of service upon mounting. This behavior affects multiple desktop environments including KDE, XFCE, and GNOME, both through GUI/file manager and directly with 'gio(1)' or 'udisksctl(1)' (SYSS Advisory).

The vulnerability allows an attacker to cause a denial of service through a system crash by mounting a corrupted or specially crafted ext2/3/4 device or image. This is particularly concerning in environments where storage media like USB sticks are automatically mounted upon connection, or where unprivileged users can trigger mounts (Debian LTS).

The issue has been fixed in udisks2 version 2.9.4. The recommended mitigation is to explicitly specify the mount option 'errors=' which overrides the field value set in the file system itself. For example, using 'errors=remount-ro' will cause the file system to be remounted read-only in case of errors instead of triggering a kernel panic. Users should also treat unknown file system images as unsafe and run 'fsck' before mounting to ensure they don't contain any errors (SYSS Advisory).